malwarewikiaorg-20200223-history
DataKeeper
DataKeeper is ransomware that runs on Microsoft Windows. It was discovered by S!Ri. The malware is written for the Microsoft .NET Framework and is offered as RaaS (Ransomware as a Service), meaning that any aspiring cyber criminal can download it and distribute it to generate revenue. It is aimed at English-speaking users. The DataKeeper maintainers encourage users to generate ransomware samples and distribute them to victims, with the promise of receiving a share of the ransom fee if victims pay to decrypt their files. But while the Saturn crew made their commission known upfront (30% of the total ransom fee), the DataKeeper crew does not disclose how much of the Bitcoin they keep from affiliates. The Data Keeper RaaS backend has sections where affiliates enter the Bitcoin wallet that is to receive their "earnings", sections where they generate the ransomware's encryptor binary, and a section from which they can download various files, including a sample decrypter.

Payload Transmission

DataKeeper is distributed on cybercrime forums. It can also be spread by breaking in through an insecure RDP configuration, by email spam with malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

Infection

Victims infected with versions of this ransomware have their files encrypted with a combined AES and RSA-4096 scheme. Data Keeper also enumerates and tries to encrypt every network share it can reach. Data Keeper does not append a special extension to encrypted files, so victims cannot tell which files are encrypted unless they try to open one. This is actually quite clever, as it introduces a sense of uncertainty for each victim, who does not know how much damage the ransomware has done to their PC. Once files are encrypted, using them becomes impossible. After successfully encrypting data, DataKeeper creates an HTML file ("!!! ##### ReadMe ##### !!!.htm") and places it on the desktop. The HTML file informs victims of the encryption and urges them to pay a specific ransom in Bitcoin, after which they are supposedly able to download a decryption tool.

The malware encrypts files with AES, a symmetric algorithm that uses the same key to encrypt and decrypt. Each victim receives a unique key; however, these keys are held on a remote server and victims are pressured to pay ransoms for their release. The cost cannot be confirmed, since distributors set their own prices; generally, cyber criminals demand $500-$1500. No matter how low or high the cost, never pay these people. Research shows that cyber criminals are very likely to ignore victims once payment is submitted: paying typically gives no positive result and users are scammed. Users are strongly advised to ignore all requests to pay any ransom. There are currently no tools capable of decrypting files compromised by DataKeeper, and the situation will probably remain unchanged. The only solution is to restore everything from a backup.

The ransom note says the following:

All files in this directory have been encrypted.
For decrypt files:
Download Tor Browser
Run it
For create decryption keys, copy link at the bottom of this page and paste to the address bar and go it
If count of links greather than one, next link must be added ONLY AFTER PAYMENT FOR PREVIOUS KEY.
Links for create decryption keys:
(Do not change the "token" parameter otherwise your data will be lost)
REDACTED_URL

Category:Ransomware
Category:Microsoft Windows
Category:Win32
Category:Win32 ransomware
Category:Assembly
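Because DataKeeper leaves file names and extensions untouched, a triage pass on a suspected victim machine has to judge files by their content rather than their names. The following Python script is an added defender-side example, not code from this wiki page or from the DataKeeper authors. It reads the first 4 KiB of each file and flags it when the magic bytes expected for its extension are gone, or, for extensions with no known signature, when the Shannon entropy of the header is close to 8 bits per byte (plain text sits around 4 to 5). The MAGIC table, the 7.5-bit threshold and the in-memory samples in triage_samples() are assumptions constructed for the example; pass a directory as the first argument to scan real files.

```python
import math
import os
import random
from collections import Counter

# Leading bytes expected for a handful of extensions. Assumption: a small
# table like this is enough for a first triage pass; extend it as needed.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",   # OOXML documents are zip containers
    ".exe": b"MZ",
}

HEAD_SIZE = 4096          # bytes read from the start of each file
ENTROPY_THRESHOLD = 7.5   # bits/byte; English text is ~4-5, ciphertext ~7.9+


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for an empty one)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, head: bytes) -> dict:
    """Decide whether a file's leading bytes look encrypted in place.

    Rule 1: a known extension whose magic bytes are gone is suspicious.
    Rule 2: for extensions without a signature, near-maximal entropy is
            suspicious (text, source code and CSV never look like that).
    Compressed formats (zip, png, jpg) are high-entropy by nature, so
    entropy alone is never held against an extension in the MAGIC table.
    """
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    entropy = shannon_entropy(head)
    if expected is not None:
        if head.startswith(expected):
            return {"suspicious": False, "reason": "magic ok", "entropy": entropy}
        return {"suspicious": True, "reason": "magic mismatch", "entropy": entropy}
    if entropy >= ENTROPY_THRESHOLD:
        return {"suspicious": True, "reason": "high entropy", "entropy": entropy}
    return {"suspicious": False, "reason": "low entropy", "entropy": entropy}


def scan_directory(root: str) -> dict:
    """Walk a directory tree and classify every regular file by its header."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify(fname, fh.read(HEAD_SIZE))
            except OSError as exc:  # unreadable file: record it and keep going
                results[path] = {"suspicious": None, "reason": str(exc), "entropy": 0.0}
    return results


def triage_samples() -> dict:
    """Run classify() over constructed in-memory samples (no disk access)."""
    rng = random.Random(20200223)  # seeded so the sample is reproducible
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(HEAD_SIZE))
    samples = {
        "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "notes.txt": b"Meeting notes 2020-02-23: review backup schedule.\n" * 20,
        "budget.docx": ciphertext_like,    # should have started with PK\x03\x04
        "notes-old.txt": ciphertext_like,  # no signature to check, entropy ~8
    }
    return {name: classify(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_directory(target) if target else triage_samples()
    for path, info in sorted(report.items()):
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {info['entropy']:.2f}  {info['reason']:15} {path}")
```

The two rules are deliberately asymmetric: a legitimate .docx or .png is itself high-entropy, so only the missing signature counts against it, while a .txt or .csv has no signature and is judged on entropy alone. A file flagged by either rule is a candidate for comparison against the last good backup rather than proof of encryption on its own.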